August 9, 2017

Carson City, NV – Today, Nevada Attorney General Adam Paul Laxalt, along with 31 other states and the District of Columbia, announced a $5.5 million settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company (collectively “Nationwide”). The settlement resolves the states’ investigation into Nationwide’s October, 2012 data breach that resulted in the loss of personal information belonging to 1.27 million consumers. The data breach was alleged to have been caused by Nationwide’s failure to apply a critical security patch, resulting in the loss of social security numbers, driver’s license numbers, credit scoring information and other personal data.

The lost personal information was collected by Nationwide in order to provide insurance quotes to consumers applying for insurance. Yet, many of the consumers affected by the data breach were consumers who never became Nationwide’s insureds; the company retained their data in order to more easily provide the consumers updated quotes at a later date.

“As criminals become increasingly sophisticated, the number of corporate data breaches continues to rise,” said Laxalt. “My office is committed to combatting high-tech crime and keeping the identities and personal information of Nevadans safe.”

Under the terms of the settlement, Nationwide has agreed to make a payment of $5.5 million to the state attorneys general. The company is required to be more transparent about its data collection practices by disclosing to consumers that it retains their personal information even if they do not become its customers. The settlement additionally requires Nationwide to take a number of steps to generally update its security practices and to ensure the timely application of patches and other updates to its security software. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates. Additionally, Nationwide agreed to take specific steps during the next three years to strengthen its security practices.